It's true that the vast majority of reported mobile malware instances target the Android platform. Those using iOS devices tend to feel a bit smug, protected by the platform's inherent security. Here's a Black Hat 2014 wake-up call, folks: iOS has holes in it too. Yeongjin Jang, Tielei Wang, and Billy Lau, all from Georgia Institute of Technology, tag-teamed a presentation that showed just how vulnerable an iOS device can be.

What's the worst thing malware could do to your smartphone? How about running unsigned code with root permissions, evading the sandbox, and defeating mandatory code signing? That's a long way of saying, your phone is pwned. And that's exactly what this session demonstrated.

Research Scientist Billy Lau explained in detail just why it is hard to jailbreak an iPhone. Briefly, you have to get past the secure boot chain, evade mandatory code signing, somehow get your app out of the sandbox, and manage a privilege escalation attack. A successful jailbreak attack requires exploiting many different vulnerabilities.

Evasi0n7 Redux

The whole project started with evasi0n7, a jailbreak attack that worked on iOS 7 but got patched in 7.1. Nine distinct vulnerabilities went into evasi0n7; Apple patched five of them. The research team got busy, looking for ways to replace those five parts of the puzzle.

At this point the presentation shifted into a highly technical mode. Not having ever been a Mac or iOS programmer, I didn't follow the details well enough to convey them. But I got the point; they succeeded. They devised an attack with the ability to jailbreak an iOS device. It wasn't easy, and the iOS device had to be attached to a Mac for the attack to succeed. But they did it.

Limitations

Jang explained that the attack has some limitations. They could not actually patch the kernel, could not totally disable the sandbox, and could not debug the kernel. After each reboot of the phone, they would have to run a special program to once again disable the check for signed code. Even so, they did an impressive job building on the example of evasi0n7.

If Apple had patched all nine vulnerabilities, would this group still have succeeded? Based on what I saw, I wouldn't be surprised. The one thing Apple can't change is the pattern of attacks that evasi0n7 used. These researchers managed to replace five components of that pattern; quite possibly, with some work, they could have managed four more. One thing's for sure: if they ask to hook my iPhone up to a Mac for a while, I'll definitely say no.

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b...
